As with any other large-scale set of standards, rules, regulatory frameworks, or laws, disadvantages and weaknesses were observed over time and brought to the public’s attention. The Common Criteria standard is no exception, and there are numerous instances where its working principle, implementation and costs were contested, mainly on issues concerning financial costs and effectiveness.

This page provides a brief overview of some of the criticism directed at the Common Criteria over the years, as well as the reasons behind that criticism.

Most of the criticism came from the Government Computing News group, which conducted a thorough analysis of the Common Criteria methodology and its undertakings, especially regarding its implementation in the United States. At the end of the analysis, the group reached several conclusions:

  • The evaluation process is very costly, commonly in the range of hundreds of thousands of US dollars, while the producer’s return on investment isn’t guaranteed at all;
  • The evaluation process is mainly centered on examining the evaluation documentation rather than the actual security protocols and measures, which results in less attention to the technical accuracy or the characteristics of the product itself;
  • The time and effort put into the pre-evaluation process and evidence preparation are often extensive, and the process itself can be quite troublesome, especially for large-scale environments and computing systems. As a result, by the end of the pre-evaluation work, the target of evaluation might have become an obsolete product;
  • The feedback provided by the industry and the various organizations that rely on the Common Criteria standard is generally neglected and carries very little weight in the development and improvement of the standard itself or of the processes entailed in the evaluation framework.